The Seven Deadly Myths of Software Security

With the reality of software security vulnerabilities coming into sharp focus over the past few years, businesses are wrestling with the additional risk that poor security introduces. And while the risk is becoming clearer, methods to defend applications from attack remain murky. Further clouding the picture, the responsibility for application security tends to fall organizationally in a netherworld between the offices of the CSO (complianceand risk), the CTO (application development), and the CIO (information operations). All three groups are committed to the business succeeding (which also means keeping the business safe), but their charters and approaches tend to be very different. For any given aspect of security or functional role within the organization, one can find lists of “best practices” from a wide range of sources. While these lists cans ometimes be helpful, unfortunately, they have lead to many “myths” about application security that have taken root. In this paper, we outline some of the most prevalent myths about security that you should consider when looking to improve the security of your software. Falling prey to these deadly myths could at best cause you to waste valuable cycles on useless “security” activities or at worst, cause your applications to be less secure.